Security and privacy: a must for the Internet of Things

The Internet of Things, connecting billions of devices to the internet, promises to deliver great applications. But if we want the Internet of Things to be secure and private, we will have to rethink its architecture. Professor Bart Preneel of iMinds – KU Leuven sees two solutions: using open standards and processing data as locally as possible instead of sending them to the cloud. He calls on the developers of Internet of Things applications to implement a secure architecture before rolling out the technology. “This is the only way we can prevent that users will throw away their connected devices in a later stage.”

The Internet of Things

The Internet of Things can be considered a next step in the information revolution. It will completely change the way we live and work. Billions of devices will be connected to the internet and will provide a constant flow of information. They will monitor our health, make our cars safer and improve the energy efficiency of our domestic appliances. Bart Preneel: “This evolution is also ongoing beyond our private life. Public buildings are provided with ever more smart sensors, actuators and cameras. Even energy companies that supply power to our homes are increasingly automating their processes. The Internet of Things will create unprecedented opportunities. It will help us to make better decisions in many aspects of our lives.” But the evolution has a downside as well. With the Internet of Things growing, and technology and society becoming increasingly intertwined, we risk losing control. Bart Preneel: “All kinds of devices monitor what we do, how healthy we are and where we are. And all this information is sent to the cloud. Without wanting it, all this info is shared with unwanted parties. Besides threatening our privacy, the Internet of Things also comes with a number of security challenges.”

Privacy and security

Surfers on the internet have undoubtedly experienced the risk of losing their privacy. You look for a charming holiday destination, and the weeks thereafter, travel tips appear on your screen unwittingly. Bart Preneel: “This datamining can also be applied to the information that is sent to the cloud by your wearable health device. What if these data are shared with your insurance company, that uses the information to decide whether you will get an insurance or not? Apart from that, we face a number of security challenges. Take a look at the medical world, which more and more evolves into a world where patients are followed in real time by medical devices that connect to the internet. In the near future, doctors will be able to adapt the settings of e.g. a pacemaker or an insulin pump via the internet. With today’s technology, it is not unthinkable that hackers will do the same and administer a fatal dose of insulin. Or adjust the settings of a pacemaker so that its wearer will die. Academic studies have shown that this is possible. Or take another example. A few months ago, unknown individuals were able to bring down the power supply in Ukraine by means of a cyberattack. It is clear that the development of a more private and secure Internet of Things will come with huge challenges.”

Open standards

There is no need to panic. Technologically, it is possible to create a safer and more private Internet of Things. One of the steps forward consists in the use of open solutions. Bart Preneel: “Today, the Internet of Things is mainly built on closed source software. This means that the source code of the software is not freely accessible and APIs (Application Program Interfaces) and data formats are not publicly available. As such, the processing of data is not transparent, and potential privacy and security risks cannot be detected and investigated. We therefore call for using open source software and standards. In principle, these allow for more thorough checks and bug reporting. But that does not always happen: what we really need is a governance system to manage all this.” Unfortunately, the use of open software is not straightforward. It opposes to some of today’s commercial business models, that found their entrance via the internet. Bart Preneel: “These business models aim at profiling the user and send him customized advertisements. It might be the role of the policy makers to impose certain legislations upon the companies that deal with all these data.”

Solutions in hardware

Bart Preneel: “We should have a similar open source culture on the hardware side as well, applied to both servers and data, as well as to the consumer appliances. This implies the specs of mother boards and processors to become public. It would as well contribute to more transparency and less abuse.”

For a number of applications, implementing security solutions in hardware could be an interesting option. Bart Preneel: “In principle, it is preferable to implement security solutions in hardware. It is more compact, more secure and consumes less energy than security in software. This is especially interesting for small devices such as medical implants, that have to be extremely energy efficient. Hardware security implies the development of specific algorithms and protocols. And we have to develop the algorithms such that they consume less energy or less logic gates, and operate faster than a software implementation via the internet.”

Keeping data local

The scientists also prefer to keep data as local as possible. Bart Preneel: “Why sending all these data to the cloud? Why gathering all possible data only because it is technically possible? And why centralizing all these data? From the point of view of security and privacy, it is better to keep critical information in the devices themselves, and be more selective in which data you send to the cloud. Such a solution will probably be less efficient. It will always be more efficient and cheap to centralize data. But as a society, we will have to weigh the options and think about what is really important.”

Passionate research

Bart Preneel and his team are part of the research group of iMinds – KU Leuven that looks into the security of the internet and the Internet of Things. In this team, 70 people work enthusiastically on the development of crypto algorithms and protocols, on hardware implementations, on several aspects of privacy, and on specific applications – such as security and privacy aspects of drones. Bart Preneel: “We try to apply the newly developed architectures in practical projects. For example, several years ago we proposed an alternative to road pricing. A number of major foreign cities uses cameras to enable road pricing. Based on the pictures taken by the cameras, the location of the vehicles is tracked. Undoubtedly, this information is being stored. We have investigated the possibility of using small modules that are placed inside the cars. Each module contains a GPS system and computation power. It tracks and stores where you are driving, and uses this information to make an invoice, which is sent to you on a regular base. It is a model for road pricing that avoids sending data into the cloud. It is a good example of keeping data more local.”

Implementing the solutions in advance

Securing the Internet of Things must be done before the technology is deployed. Bart Preneel: “That’s important if we want to prevent users from opposing to these intelligent networks. That’s what recently happened in the Netherlands, where the consumers’ association opposed to the installation of smart energy meters in people’s houses. They were afraid that criminals would hack their meters. A few years ago, a similar incident happened when a big clothing brand decided to provide all the clothing with RFID tags. The tags could be read by e.g. different washing machines. The consumers rejected the idea, because they did not want to be trackable this way. So the tags had to be removed afterwards. We can no longer allow ourselves to roll out a new technology first, and clean up the mess afterwards.”

It is therefore important to bring together all the different players. Bart Preneel: “Every technology that you develop can be subject to abuses. But no one will stop you from reflecting in advance, and from adapting your architecture in a way that as much abuses as possible can be prevented. It will be key to build in security and privacy in an early stage of the development: security and privacy by design. Technology developers will have to learn to collaborate more intensively with experts in security and privacy. And we will have to come up with solutions that are almost as efficient and cheap as the current solutions. Only this way, we will prevent users from throwing away all these beautiful applications.”